In today’s technological climate, we as consumers may feel more unsafe than ever regarding the security of our personal information; in 2016 UK companies lost over £1 billion to cybercriminals who had access to social security, addresses, names and other details of those whom the companies held data about. With this in mind, it is paramount that the new General Data Protection Regulations (GDPR) outline clear and stringent protocols for companies to comply with, to ensure that data is protected efficiently and securely. This raises the question of to what extent the GDPR will guarantee this where the Data Protection Act 1998 (DPA) did not. What can businesses and consumers alike expect from the GDPR, and from the way in which personal data is to be handled, when it is enforced in May 2018?
The Data Protection Act 1998
To understand how data protection has progressed to this point in line with technological advancement and business growth, a brief overview of the DPA is necessary; this will then help in understanding where the GDPR will take us once it is enforced. The DPA encompassed several data protection principles about how information should be handled, including fairness and lawfulness, purposes, retention and rights, amongst others. These were intended to enshrine the legal rights of persons whose personal information a company acquired and held, and to control the way in which a company could do so. A company in breach of these principles can expect to face action from the Information Commissioner’s Office (ICO), as was the case very recently, on 20th July 2017, for Moneysupermarket.com, who were fined £80,000 for sending emails to customers who had specified that they did not want to receive them. In fact, it is promising to see that over the past 7 years the ICO has collected circa £10 million worth of monetary penalties from numerous companies, and this is amongst other sanctions.
Will the GDPR Make a Difference?
Based on the above, the DPA can be said to have been a significant and effective piece of legislation concerning data protection, so should we welcome the new GDPR in 2018, or rather be anxious about the changes it may make?
As an initial point, considering the vast developments in both technology and business since the DPA, the introduction of new regulations should certainly bring the rules into line with the current capabilities of technology and businesses with regard to personal data. With the capacity to handle and store millions of pieces of personal data at any one time, and with SMEs (small and medium-sized enterprises) having these capacities where at the turn of the century they were exclusive to only the largest of businesses, the GDPR is arguably long overdue, as a high demand has emerged to regulate the fast-growing corporate environment we are currently immersed in.
To answer the question in hand, it can be anticipated that the GDPR will make a significant difference compared with the DPA in terms of its implications; however, in terms of the regulation itself and its content, not an awful lot will have changed. Much of the DPA is incorporated into the GDPR, in terms of the principles it lays out, with a couple of notable additions and extra detail. The addition of the principle of accountability appears likely to be the most significant, requiring companies to demonstrate how exactly they comply with the principles set out. The GDPR has also significantly elaborated on the rights of individuals, creating new rights and strengthening those which already existed, which further ties into additions made in the GDPR such as those on lawful processing and consent. In general, the added detail provides a more extensive and demanding regulatory instrument covering a range of definitions and principles, which will in turn expand the scope of regulation over data protection and place much more stringent responsibilities on businesses.
The Future of Data Protection
Looking to May 2018, it is apparent that companies will be anticipating the new GDPR more than consumers will. The further protection afforded to those whose data is in the hands of businesses places a strain on such businesses, which must comply with these firmer and more demanding regulations. With such a short time left to prepare for the introduction of the GDPR, and with the ICO announcing a dramatic increase in fines for businesses in breach of the regulations, it is essential that businesses are ready for compliance before May 2018 arrives.
Giles Wood (under the supervision of Chris Hunter – Head of Business Development and Digital Services)
rhw Solicitors llp – August 2017